XamPro Privacy Policy

Your privacy is of paramount importance to us. This Privacy Policy outlines our legal obligations, the nature of the data we collect, how it is processed, and the rights of data subjects in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Introduction

XamPro, a proprietary software platform owned and operated by EduSoft LTD, is designed to facilitate examination proctoring and associated administrative services for UK-based schools and colleges. This Privacy Policy governs the collection, processing, and storage of personal data in accordance with applicable legal standards and regulatory obligations.

For the purposes of UK GDPR, EduSoft LTD acts as the Data Processor, while schools and local education authorities act as the Data Controllers. All schools must sign an explicit Data Processing Agreement (DPA) with EduSoft LTD before using XamPro, thereby consenting to the processing of personal data as described in this policy.

2. Legal Basis for Processing

We collect and process personal data under the following legal bases as set out in Article 6 of the UK GDPR:

  • Legitimate Interests: Processing is necessary to deliver our examination proctoring and SMS services to educational institutions.
  • Public Task: Schools and colleges act in the public interest when using our services.
  • Contractual Obligation: Data processing is required for fulfilling contractual agreements between EduSoft LTD and the educational institution.

3. Categories of Data Collected

The following categories of data are collected and processed by XamPro:

3.1 School and Staff Data

Data Category | Purpose & Legal Justification
--- | ---
School Name | Required for identification and administrative purposes.
DfE Number | Ensures correct linkage with national education databases.
Primary Contact Information | Used for official communication and support requests.
Local Authority | Used for regulatory reporting and compliance.
Staff Title | Used to define the role of staff members within the institution.
Legal Forename & Surname | Required for staff identification and account creation.
Email Address | Used for authentication, account recovery, and communication purposes.
Job Designation | Required to assign appropriate user roles and permissions within the platform.

3.2 Student Data

Data Category | Purpose & Legal Justification
--- | ---
Unique Pupil Number (UPN) | Required for uniquely identifying students and ensuring accurate record-keeping.
Admission Number (AdNo) | Used internally by schools to maintain admission records.
Legal Forename & Surname | Essential for student identity verification and linking to examination results.
Date of Birth | Ensures eligibility for age-restricted examinations and prevents duplicate records.
Gender | Used for statistical reporting and compliance with examination board requirements.
Admission & Leavers Date | Ensures accurate records for active and former students.

4. Data Sharing and Security

EduSoft LTD does not sell or share personal data with third parties. However, data is shared in the following limited circumstances:

  • With SMS Service Providers: For schools using the SMS module, only the message content and recipient contact details (e.g., mobile/landline number) are shared with UK ICO-compliant SMS gateway providers.
  • Legal Compliance: We may disclose data where legally required, such as to law enforcement agencies or regulatory bodies.

Data security measures include:

  • All passwords are stored using SHA-2 hashing with salting.
  • Data is hosted on UK-based Amazon AWS servers with full compliance under the Data Protection Act 2018.
  • Data transmission is secured via Cloudflare web application filtering and load balancing.
  • End-to-end SSL encryption secures all transmitted data.
  • Mandatory Two-Factor Authentication (2FA) for all system users, excluding students using the XamPro access codes.
  • All users must adhere to a strict password policy, requiring:
    • Minimum of 8 characters
    • Use of at least one special character
    • No reuse of previously used passwords

5. Data Retention & Deletion

Data is retained as follows:

  • Stored for the duration of the school’s subscription.
  • Upon termination, data is retained for 31 days before permanent deletion.
  • Schools may request data deletion at any time via a formal support request.
  • Schools may request a copy of the data we hold with written consent from the headteacher.

6. Changes to the Privacy Policy

EduSoft LTD reserves the right to update this Privacy Policy to reflect legal or regulatory changes, improvements to our services, or operational requirements. Any significant changes to this Privacy Policy will be communicated at the school level via the designated Data Controller and primary contacts within each subscribing institution.

Schools and subscription users will receive a formal notification outlining the specific amendments, the reason for the changes, and the date they take effect. This notification will be provided via email to the registered primary contacts, through system announcements within the XamPro platform, and via direct communication where applicable.

Schools are responsible for ensuring that their staff, students, and relevant stakeholders are informed of such updates. Continued use of XamPro after these changes take effect constitutes acceptance of the revised Privacy Policy.

7. ICO Registration

EduSoft LTD is registered with the Information Commissioner's Office (ICO) under registration number ZB799468. This ensures compliance with UK GDPR and Data Protection Act 2018 regulations.

8. Contact Information

For privacy-related inquiries, contact:

Email: info@xampro.co.uk

If unresolved, you may escalate concerns to the ICO: www.ico.org.uk

9. Privacy Revisions

Last updated: 15 February 2025

Revision: 1.0.2

  • Broken hyperlink to privacy policy.
  • Clause 4 revised to include information pertaining to third-party SMS providers.